
How to assign Entra user User.Read.All and Group.Read.All from Graph Explorer


I'm getting the same error described in this post: Microsoft Social Login Approval Required Popup, but the context is that I'm signing into Graph Explorer as "user1@mydomain.onmicrosoft.com" and I'm trying to create a specific subscription that needs User.Read.All and Group.Read.All. When I try to assign myself these permissions via Graph Explorer's consent button, I get the prompt that says I need permission and to specify a reason why I'm asking. I'd like to get rid of this prompt.

My user consent settings look like this:

enter image description here

And my admin settings:

enter image description here

The two users allowed to review access requests are the only 2 users in this test tenant, including the one I'm using to sign into Graph.

Ideally, I would like to configure my tenant so that all users have User.Read.All and Group.Read.All.

I've tried to check Entra->Applications->Graph->Permissions. I've tried to add User.Read.All and Group.Read.All there but I still can't create the subscription that I need. Any tips would be appreciated.

Edit 1

In my particular case, in order to get it working, I had to allow users to request access to the specific app.

Allow users to request access to this application? Yes

Require approval before granting access to this application: No

enter image description here

And when I sign in as Global Admin into Explorer, I don't get the prompt to consent for all users.
But your suggestion to allow users to request access is what tipped me off, so I'm going to accept the solution.


Solution

  • I have below option selected under User consent settings in my tenant:

    enter image description here

    In Admin consent settings, I enabled below option with Sri as reviewer to admin consent requests:

    enter image description here

    When I logged in to Graph Explorer with local user account and tried to consent User.Read.All permission, I too got "Approval required screen" as below:

    enter image description here

    To approve above consent request, sign in with reviewer account having Global Admin role and approve pending request like this:

    enter image description here

    When I tried to consent User.Read.All permission with local user account now, it worked and I'm able to list users successfully like this:

    GET https://graph.microsoft.com/v1.0/users
    

    Response:

    enter image description here

    If you want to get rid of "Approval required" screen while consenting permissions, disable below option by setting it to 'No':

    enter image description here

    To configure your tenant so that all users have User.Read.All and Group.Read.All permission, log in to Graph Explorer with local user having Global Administrator role and make sure to consent permissions by checkmarking "Consent on behalf of your organization" option that won't ask normal users to consent again:

    enter image description here
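
An added example, not part of the original question or answer: one way to check whether "Consent on behalf of your organization" took effect is to read the delegated grants from `GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants`, where tenant-wide consent appears with `consentType` `AllPrincipals` and a single user's consent with `Principal`. The response body and all ids below are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like the body of
# GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants
# All ids are placeholders, not values from a real tenant.
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {"clientId": "sp-graph-explorer", "consentType": "Principal",
         "principalId": "user1-object-id", "resourceId": "sp-microsoft-graph",
         "scope": "openid profile User.Read User.Read.All"},
        {"clientId": "sp-graph-explorer", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "sp-microsoft-graph",
         "scope": "Group.Read.All"},
        {"clientId": "sp-other-app", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "sp-microsoft-graph",
         "scope": "User.Read.All Directory.Read.All"},
    ]
})

REQUIRED = ("User.Read.All", "Group.Read.All")


def effective_scopes(response_body, client_id, resource_id, principal_id):
    """Return (tenant_wide, user_only) scope sets for one client app and one user."""
    tenant_wide, user_only = set(), set()
    for grant in json.loads(response_body).get("value", []):
        if grant.get("clientId") != client_id or grant.get("resourceId") != resource_id:
            continue  # grant belongs to another app or another API
        scopes = set((grant.get("scope") or "").split())  # scope is space-separated
        if grant.get("consentType") == "AllPrincipals":
            tenant_wide |= scopes  # admin consented for the whole organization
        elif grant.get("consentType") == "Principal" and grant.get("principalId") == principal_id:
            user_only |= scopes  # only this user consented
    return tenant_wide, user_only - tenant_wide


def consent_report(response_body, client_id, resource_id, principal_id, required=REQUIRED):
    """Classify each required scope as 'tenant-wide', 'user-only' or 'missing'."""
    tenant_wide, user_only = effective_scopes(response_body, client_id, resource_id, principal_id)
    report = {}
    for scope in required:
        report[scope] = ("tenant-wide" if scope in tenant_wide
                         else "user-only" if scope in user_only else "missing")
    return report


if __name__ == "__main__":
    for who in ("user1-object-id", "user2-object-id"):
        print(who, consent_report(SAMPLE_RESPONSE, "sp-graph-explorer", "sp-microsoft-graph", who))
```

A scope reported as "user-only" or "missing" means other users will still be asked to consent (or to request approval) for it in that client app.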